With innovative Apple iOS devices and corporate use of Mac OS computers rapidly growing, criminals are finding these devices more attractive for attack.
As a result, concern over Apple iOS devices such as iPhones and iPads that access corporate networks is growing.
Company executives and employees bring their own iPhones and iPads into the office and use them instead of company-issued devices.
This trend will only grow: iPhones have penetrated the smartphone market, making up roughly 16 percent of the smartphone market in the first quarter of 2010, up more than five percent from the prior year.
There have also been highly publicized exploits of resident native applications, such as Safari and iTunes and authorized third-party applications, such as Adobe Reader and QuickTime.
However from a security standpoint, Apple has historically enforced a rigorously closed environment for its iOS devices. To get an application authorized, developers must use the iPhone SDK, and then submit the application for approved distribution over the App Store to locked-down iOS devices.
iOS also applies additional security features, such as sandboxing, at the device itself to keep applications from accessing data stored by other applications. All of these security measures are useless if an iOS device is jailbroken.
Jailbreaking sidesteps the closed Apple environment to enable the installation of unauthorized applications.
At first, these sideloaded applications focused on consumer workarounds to Apple restrictions on cell carriers or 3G bandwidth. Today, their breadth and use have expanded. And in an attempt to give users access to critical business resources over iOS devices, many IT departments are bypassing Apple restrictions to sideload custom applications. This includes mobile iPad clients that can interact remotely with business applications on network servers or in the cloud.
While the U.S. Digital Millennium Copyright Act legally sanctions jailbreaking, the practice exposes iOS devices to a number of serious issues.
It violates the license agreement, voids the warranty, and can potentially “brick” the device and make it unusable. More importantly, jailbroken devices become vulnerable to malicious manipulation and attacks by trojans, worms and other malware-laden applications.
A recent example is the Ikee.b worm that launched over jailbroken iPhones and compromised online transactions with Dutch bank ING Direct.
Apple even recently patched vulnerabilities in Adobe software enabling hackers to remotely jailbreak iOS devices over the web.
Criminals can compromise jailbroken iOS devices to steal confidential, proprietary, financial, and identity data. They can intercept email, instant messages, and digital conversations. Finally, cybercriminals can track device locations and act as a direct conduit for malware distribution into corporate networks.
Since jailbreaking is legal, easy, and in many cases even sanctioned by IT, iOS devices cannot be trusted as corporate network endpoint devices.
Even non-jailbroken iOS devices hide a dirty secret: An iPhone user could unknowingly infect his or her device while accessing a URL over a public wireless network and then spread malware to the corporate network after connecting over the corporate WLAN or VPN connection. In this case, encryption alone will not help if it only encrypts malware traffic.
What's the way out of this situation?
Banning Apple devices from corporate premises is not a viable option. IT may not be able to control iOS devices, but administrators can control the data and applications traversing the network gateway.
Here are five areas for IT to focus their defense and protect their network against emerging threats via Apple devices.
- Comprehensively scan and control of traffic between iOS devices and the network. IT can deploy a next-generation firewall to conduct deep packet inspection of all iOS traffic traversing the gateway.
- Establish secure SSL VPN access to corporate resources. IT can deploy a centralized SSL VPN portal to provide authenticated and encrypted web-based access to network resources from iOS devices.
- Establish smartphone wireless access security. IT can deploy security for wireless networks at the WLAN gateway that is at least on par with wired networks running deep packet inspection.
- Establish controls over application traffic. IT can deploy application intelligence and control technology to identify, categorize, control and report the use of potentially compromised applications.
- Enforce jailbreaking policy. Jailbroken devices that connect to the corporate network present a serious threat. IT should educate users on the inherent dangers, and restrict network access from devices running sideloaded applications.
Today, some corporations may see only a fraction of their business computers running on Mac OS or iOS. But the trend shows that Apple iOS devices will continue to expand into the corporate network environment.
While Apple's closed platform approach has helped limit widespread attacks, corporate IT should not overlook inherent vulnerabilities from authorized third-party applications.
Network administrators also need to pay attention to unauthorized applications that are side-loaded onto jailbroken devices. Ultimately, IT cannot fully control any smartphone or mobile pad platform. Accordingly, IT should treat iOS devices as untrusted network endpoints and apply appropriate security countermeasures both at the gateway and, where possible, over communications channels such as VPNs and WLANs.
